Environment
- EDR Server: 7.4 and higher
- EDR Windows Sensor: 7.2 and higher
Question
How can Tamper Protection be enabled and what is the impact on the endpoints?
Answer
- Tamper Protection can be enabled per-group in the EDR Console > Sensors > Edit Group Settings > Advanced. Modify the Tamper Protection Level to Protection, Detection or Disable.
- No performance impact on the endpoints.
- In Protect mode the following files are protected:
* Starting/stopping the CB Windows sensor services
* Modifying the C:\Windows\CarbonBlack files; Users have no access
* Modifying C:\Windows\system32\drivers\cbk7.sys and cbstream.sys
* Modifying C:\Program Files (x86)\CarbonBlack\CbEDRAMSI.dll
* Modifying C:\Program Files\CarbonBlack\CbEDRAMSI.dll
* Modifying CarbonBlack registry keys
Additional Notes
- Review the knowledge base article EDR: Which Sensor directories need exclusion from third-party anti-virus scans to make sure that the latest Carbon Black EDR Windows sensor exclusions are in place before enabling Tamper Protection.
- Minimum requirements are Windows 10 v1703 (Desktop) or Windows Server v1709 (Windows build 15163). Any Windows sensor in a sensor group that has Tamper Protection applied and that does not meet the minimum OS requirements will default to Tamper Detection.
- Enabling Tamper Protection on both Carbon Black App Control and Carbon Black EDR does not provide extra protection. We recommend that you disable Carbon Black App Control enforcement of Tamper Protection after Carbon Black EDR Tamper Protection enforcement is in place.
- Download and review Engineering Overview of Tamper Protection document: https://transfer.vmware.com/download?domain=carbonblack&id=d3c24998d3f442bc8e9dcd202652d7e9&out=zip
- Review Managing Sensors > Tamper Protection of Windows Sensors in the 7.7 User Guide or higher for details on configuration fields for the new Tamper Protection Feature.
Related Content